Hi Jeremy, thanks for your answer.
On Fri, Jun 07, 2019 at 05:39:24PM +0100, Jeremy Harris via Exim-users wrote:
> On 07/06/2019 17:16, Marc MERLIN via Exim-users wrote:
> > Is my cipher list unsuitable? cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
>
> That's not a cipher list, it is the cipher that you negociated.
Oops, correct.
> With TLS1.3 certain TLS startup error types only become visible on the
> first read after the handshake call. I think you've hit one. The
> handling of these has been made a bit better post- 4.92
> (see eg. c15523829b). Is there any chance of you compiling a
> bleeding-edge version?
Sorry, I totally failed to give a required bit of info, which exim I have.
debian exim4 4.87-3+b1
I don't upgrade unless I have to, as a general policy :)
> Alternatively, disable TLS1.3 - the tls_require_ciphers options
> for the smtp transport is expanded, so you could make this
> google-specific.
So, I'm not much of an expert on TLS and crypto protocols in general.
I had a look at https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTreqciphgnu
and I tried these 3 options directly pasted in /var/lib/exim4/config.autogenerated
tls_require_ciphers = NORMAL:%COMPAT
tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0
tls_require_ciphers = SECURE128
In all 3 cases I got the same:
10:04:33 4558 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
10:05:27 4916 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
10:05:56 4954 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
and the mail delivery failed all 3 times.
Any idea what I should try?
Thanks,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
